Why are applications and IT systems mapped to each other in the structure analysis?
Because a system's protection need is inherited from the applications it supports — the application with the highest requirements determines the system's protection need.
In Grundschutz, protection needs flow top-down: business processes → data → applications → systems.
Therefore the structure analysis explicitly records which applications (A) run on which servers (S) and clients (C). For each IT system, its protection need is then derived from the applications it supports:
- The relevant application is the one with the highest security requirements regarding confidentiality, integrity, and availability
- This is the Maximumprinzip (maximum principle)
Without this mapping you could not justify why a particular server needs "high" availability — the justification always traces back to an application (and ultimately a business process) depending on it.